About OWASP Dependency Check

Please refer to history for information on released and older trunk versions. The links might fail though, since the OFBiz svn repo structure has changed while splitting frameworks from plugins.

OWASP Dependency Check is a tool for checking that the Java libraries you use have no known security issues. We use it through a Gradle plugin. Once the CVE references and the Gradle dependencies are up to date, as of 2016/09/05, it takes 3.5 minutes on a standard machine to check the dependencies (it was 2+ minutes before Gradle).

Here is the Gradle command line to use to start the check:

gradlew -PenableOwasp dependencyCheckAnalyze
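As an added illustration (not OFBiz's own build.gradle), this is how a build can gate the plugin behind the -PenableOwasp project property used in the command above and fail only on high-severity findings; the plugin version and the suppression file path are placeholders/assumptions.

```groovy
// Added example, not OFBiz project code: gate OWASP Dependency Check behind
// the -PenableOwasp property so the ordinary build stays fast and the NVD
// data is only downloaded when a dependency check is explicitly requested.
plugins {
    // '<plugin-version>' is a placeholder; pin a real version in practice.
    id 'org.owasp.dependencycheck' version '<plugin-version>' apply false
}

// `gradlew -PenableOwasp dependencyCheckAnalyze` sets this property;
// a plain `gradlew build` leaves the plugin unapplied.
if (project.hasProperty('enableOwasp')) {
    apply plugin: 'org.owasp.dependencycheck'

    dependencyCheck {
        // Fail the build only when a dependency carries a vulnerability with
        // a CVSS base score of 7 or higher. Lower-rated findings still appear
        // in the report but do not break the build.
        failBuildOnCVSS = 7

        // Findings that have been reviewed and accepted are recorded here
        // with a justification instead of being ignored silently.
        // The path is an assumption for this example.
        suppressionFile = 'config/owasp-suppressions.xml'
    }
}
```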

Trunk reports

Since OFBiz uses Gradle, all dependent libraries (i.e. also the dependencies of the libraries OFBiz uses, recursively) are loaded by Gradle and analysed by the OWASP Dependency Check plugin. So it is practically impossible to check all the possible vulnerabilities. I decided to only check the higher ones; currently (2017-09-29) we have only already known ones: